PCI Compliance | 27 May 2026 | 27 min read

TCPA Compliance for Payment Calls

TCPA exposure for payment-related calls is one of the most expensive compliance risks in US contact centers — $500 to $1,500 per call, uncapped, class-action eligible. Here's what the law actually says about collections calls, payment reminders, MFA-via-SMS and the rest.


TL;DR

TCPA exposes US payment callers to $500 per violation (negligent) or $1,500 (willful), uncapped, class-action eligible — and the Supreme Court's Facebook v. Duguid ruling didn't shrink the surface as much as people think. Manual-dial collections is mostly safe from the ATDS rules, but SMS reminders, MFA codes, prerecorded voice, state mini-TCPAs (Florida FTSA, Oklahoma OTPA, Washington WAC), and revocation handling all carry live risk. Query the Reassigned Numbers Database before every outbound campaign, log every consent timestamp, and treat verbal revocation as binding the moment it's spoken.

Last updated: 27 May 2026

If you take payments by phone in the US, the Telephone Consumer Protection Act sits behind almost everything your team does. Collections calls, payment reminders, fraud-alert SMS, MFA codes, marketing follow-ups, even courtesy "your payment cleared" messages — all of it is in TCPA scope depending on how it's sent and to which number. Get it wrong and you're looking at $500 to $1,500 per call, uncapped, class-action eligible. Settlements have hit nine figures: DISH Network paid $280M in 2017, Capital One $75M in 2014, Wells Fargo $32M. If your operation also takes card-not-present payments over those same calls, the TCPA layer sits on top of a PCI DSS layer that we cover separately.

This guide walks through what the TCPA covers, what counts as an autodialer after the Supreme Court's Facebook v. Duguid decision, how the Reassigned Numbers Database changes your exposure, and where the law touches a typical payment-call workflow. It's written from the perspective of a PCI DSS Level 1 service provider that runs masked card capture for US contact centers — the TCPA and PCI scopes overlap more than people think.

What the TCPA actually is


The Telephone Consumer Protection Act was signed by President George H.W. Bush on December 20, 1991, codified at 47 U.S.C. § 227. Congress passed it in response to a then-novel problem: companies using auto-dialing equipment to push prerecorded sales pitches into people's homes at dinner time. Thirty-five years later, the underlying language still drives consumer-protection litigation across collections, payments, marketing, and even MFA flows that travel by SMS.

At its core, the TCPA restricts four things:

  • Robocalls and prerecorded voice messages to any residential line without prior express consent.
  • Autodialed calls and text messages to cell phones without prior express consent (and prior express written consent for telemarketing).
  • Unsolicited fax advertisements.
  • Operating an autodialer without proper time-of-day restrictions and abandonment safeguards.

The FCC enforces TCPA at the federal level, but the much more powerful enforcement engine is the law's private right of action. Any individual who receives a non-compliant call or text can sue for statutory damages of $500 per violation, trebled to $1,500 if the violation was knowing or willful. There's no cap. And because these calls usually go out in volume, class-action lawyers find them irresistible.

What counts as an "autodialer" after Facebook v. Duguid

For two decades the courts argued over what counts as an Automatic Telephone Dialing System — "ATDS" or autodialer — under the statute. The phrase in the law is "equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator." Some circuits read that narrowly. Others read it broadly enough to capture almost any modern dialing platform that stored a list of customer numbers.

In April 2021, the Supreme Court resolved the split in Facebook, Inc. v. Duguid. The Court held unanimously that to qualify as an ATDS, a device must have the capacity to use a random or sequential number generator to either store or produce phone numbers. Calling from a curated list of known customer numbers — which is what most contact centers actually do — falls outside the ATDS definition.

That sounds like a get-out-of-jail card, and for autodialed marketing it largely is. But the ruling didn't touch the other TCPA prohibitions. Prerecorded voice messages and artificial voices still require prior express consent regardless of how they're dialed. So do robocalls to residential numbers under most circumstances. And the consent requirements for SMS marketing didn't change either.

The practical effect for payment-call operations: if you're dialing manually or with a click-to-dial system that requires human intervention for each call, and you're not playing a prerecorded message, the ATDS rules are usually behind you. If you're sending automated SMS payment reminders, fraud alerts, or MFA codes, the SMS-to-cell-phone consent rules still bite.

How narrow is "narrow" — reading Duguid carefully

The Duguid opinion (Justice Sotomayor writing for a unanimous court, 9-0) reads the ATDS clause through grammar, not policy. The court applied the "series-qualifier canon" — the modifier "using a random or sequential number generator" qualifies both verbs in the list, "store" and "produce." That's why "a list of numbers I curated and stored" doesn't make a system an ATDS, even though the system literally stores numbers.

What the opinion did not address: prerecorded or artificial voice messages (47 U.S.C. § 227(b)(1)(A) and (B)) — those still need consent regardless of how the dialing happens. The opinion also explicitly carves out, in footnote 7, that systems generating random numbers to dial sequentially through a list (e.g. "start at extension 1000, dial each extension in order") would still count as ATDS. And several appellate decisions since 2021 have wrestled with whether systems that use a random number generator to pick the order in which stored numbers are dialed qualify — courts have split, with the Ninth Circuit reading the carve-out narrowly and the Second Circuit reading it more expansively.

The post-Duguid litigation reality is that the plaintiffs' bar has pivoted hard. ATDS claims dropped sharply; SMS-marketing claims, prerecorded-voice claims, and DNC violations climbed. State-law mini-TCPAs (covered below) became the preferred venue because they define autodialer more broadly than federal law and don't carry the Duguid constraint at all.


TCPA consent comes in two flavors, and the distinction matters.

Prior express consent covers most non-marketing calls — service-related messages like delivery updates, appointment reminders, payment receipts, fraud alerts, and account-status notifications. The standard the FCC has applied is that providing your phone number to a business in the context of a transaction is generally enough to constitute prior express consent for transaction-related messages to that number. So a customer who gives you their cell number to set up an account has consented to service-related texts about that account.

Prior express written consent is the much stricter standard required for telemarketing autodialed calls, prerecorded telemarketing calls, and marketing SMS. It requires a written agreement (electronic signatures count) that clearly authorizes the calls, identifies the calling party, includes the specific telephone number being authorized, and includes a clear and conspicuous disclosure that the consumer is not required to consent as a condition of any purchase.

For payment-focused operations, the consent question usually comes up in three flows:

  1. Collections and dunning calls. If the original account agreement collected the cell number for the purpose of contacting the customer about the account, you generally have express consent for service-related calls including collections — but only while the account is open and only to the number the customer provided. Once the account closes, courts have held the consent goes with it.
  2. Payment reminders and confirmations. SMS reminders that a payment is due, or that one has cleared, are service-related rather than marketing — but only if they don't contain any cross-sell or upsell language. Add a line like "and check out our new premium plan!" and the message becomes telemarketing requiring written consent.
  3. MFA-via-SMS for payment authentication. The FCC has indicated that one-time security codes sent at the customer's request fall within an exemption for transactional messages — but the message has to be limited to that single purpose, sent within a defined window, and not used as a cover for marketing.

The single biggest TCPA mistake we see in payment operations is treating consent as evergreen. It isn't. If a customer revokes consent — by any reasonable means, including a verbal request to an agent on a call — the consent ends from that moment forward, and every subsequent call or text is a violation.

The four boxes of prior express written consent

The FCC laid out specific elements that a prior-express-written-consent record has to contain to count. Miss any one of them and a court can find the consent invalid, which means the entire campaign sits in violation territory. The four boxes:

  1. Signature. A wet signature, or any of the electronic-signature methods allowed under E-SIGN — including a checkbox at the bottom of an online form, an SMS reply of "YES," or a recorded voice authorization captured on a compliant call. The signature has to be attached to the disclosure, not in a different document.
  2. Clear and conspicuous disclosure that the consumer is agreeing to receive autodialed or prerecorded marketing calls or texts. "Clear and conspicuous" has been litigated heavily — fine print at the bottom of a 40-line terms-of-service document usually fails.
  3. Identification of the seller (the entity that will be marketing) and the specific telephone number that will receive the calls.
  4. An explicit statement that the consumer is not required to provide consent as a condition of purchasing any property, goods, or services. This box is the one missed most often, and it's a hard rule — even a perfectly worded marketing disclosure without this single sentence will fail.

Prior express consent (without the written upgrade) is much lower friction — the customer provides a phone number in connection with a transaction, and that act alone is treated as consent for transaction-related calls and texts to that number. But the consent only extends to messages about that transaction or account, not to marketing.

Revocation — what counts, what doesn't, how fast you have to act

The FCC's 2015 Declaratory Ruling and a long line of cases since then have established a clear rule: consumers can revoke TCPA consent by any reasonable means. The contact center industry has tried at various points to require a specific channel ("text STOP to opt out," "call this 800 number"), and courts have consistently rejected that — if the consumer makes the revocation reasonably clear, it counts, regardless of channel.

What that means operationally:

  • Verbal revocation to an agent on a live call counts. The agent has to capture it, flag the number, and propagate that flag to every dialing system the company uses. The propagation window matters — if the do-not-contact flag takes 24 hours to reach the SMS marketing platform and a marketing text goes out in hour 12, that's a violation.
  • "STOP" replies to SMS count. Most modern SMS platforms handle this automatically. Less obvious variants — "unsubscribe," "quit," "end," "cancel" — are also generally treated as effective revocation under the CTIA Short Code Monitoring Handbook. "REMOVE" too. Train your platform to recognize them all.
  • Written letters count. A consumer who mails a written request to stop calling has revoked consent from the date of receipt. Your mailroom-to-do-not-contact-flag workflow needs to handle this; many companies have nothing.
  • Revocation through any channel revokes consent across all channels for that number. A consumer who says "stop calling me" on a call has also revoked SMS consent — the consent ran to the phone number, not to the medium.

The DNC scrubbing cadence that defensible operations follow: scrub against the federal Do-Not-Call Registry every 30 days at most (Telemarketing Sales Rule 16 C.F.R. § 310.4(b)(3)(iv) requires this for marketing calls), scrub against your internal do-not-contact list daily, and scrub against the Reassigned Numbers Database before each outbound campaign or at minimum monthly for ongoing campaigns. State DNC lists (where the state runs one — Indiana, Tennessee, Missouri, others) have their own cadence requirements.


The Reassigned Numbers Database — your safe harbor since 2021

Roughly 35 million US phone numbers get reassigned to new subscribers every year. For TCPA defendants, that's a nightmare: you have valid consent from the original subscriber, the number gets reassigned to someone else, you call that number believing you have consent, and the new subscriber sues. Courts spent a decade fighting over whether the original consent transferred (it doesn't), whether the caller's good-faith belief mattered (mostly not), and what counts as "reasonable reliance."

The FCC's Reassigned Numbers Database went live in November 2021 to solve exactly this problem. It's a single national database, updated daily, that lets callers check whether a phone number has been permanently disconnected. The crucial part for TCPA defendants: it carries a safe harbor. If you query the database before placing a call, you receive a response that the number has not been disconnected, and the consumer who received the call sues, you have a complete defense to liability for that call — even if the database's response turns out to be wrong.

For payment operations dialing in any volume, the RND is now table stakes. The query costs are modest, the integration is straightforward, and the safe harbor it provides is one of the few clear wins TCPA defendants have. If your collections or reminders platform doesn't query the RND before each outbound campaign, get that fixed before you spend another dollar on legal reserves.

Interplay with the FDCPA for debt collection

If you're collecting debts that originated with a different creditor — third-party collections — you're operating under both the TCPA and the Fair Debt Collection Practices Act. The FDCPA brings its own rules about hours of contact (between 8 a.m. and 9 p.m. in the consumer's time zone), required disclosures, prohibited practices, and validation notices. It's enforced by the CFPB and the FTC, and it also carries a private right of action.

The two laws don't always line up neatly. Express consent under the TCPA isn't the same thing as authorization to contact under the FDCPA. A consumer can revoke FDCPA consent (by writing to the collector demanding contact stop) and simultaneously remain TCPA-consented for the underlying calls — which means the calls would violate the FDCPA even if they don't violate the TCPA. The practical answer is to treat the more restrictive law as the operating constraint, which usually means the FDCPA.

The CFPB's Regulation F, effective November 2021, also caps the number of call attempts a debt collector can make to a particular consumer about a particular debt — generally seven calls within a seven-day period, with a seven-day cooling-off period after telephone contact is made. That's an FDCPA constraint, not a TCPA one, but it lives in the same dialing platform you'd use for TCPA-governed calls.

State-level TCPA laws — Florida, Washington, Oklahoma and counting

The federal TCPA isn't the whole picture. Several states have enacted their own "mini-TCPA" statutes that go further than federal law, and they keep multiplying.

Florida's FTSA (Florida Telephone Solicitation Act, as amended in 2021) treats almost any automated call or text from a system that selects or dials numbers automatically as requiring prior express written consent, even outside the Facebook v. Duguid definition of an autodialer. Statutory damages are $500-$1,500 per call.

Washington's WAC rules go beyond federal law on call frequency and consent for commercial telephone solicitations, with enforcement by the state Attorney General and a private right of action.

Oklahoma's OTPA (Oklahoma Telephone Solicitation Act, effective November 2022) closely mirrors Florida's FTSA and has produced a wave of class-action filings since enactment. Many of the FTSA plaintiff firms simply re-filed their templates with Oklahoma plaintiffs.

Other states to watch:

  • Maryland's Stop the Spam Calls Act (effective January 2024) goes further than the federal TCPA on consent for prerecorded calls and adds a do-not-call list maintained by the state.
  • Texas Telephone Solicitation Act requires a state-issued telephone solicitation registration certificate for some telemarketing calls into Texas, with civil penalties for unregistered solicitors.
  • New York General Business Law § 399-p and § 399-z regulate prerecorded telemarketing and impose specific disclosure requirements that go beyond federal TCPA.
  • California's CIPA (California Invasion of Privacy Act) has been used aggressively against companies that record outbound calls without two-party consent — relevant because most of your TCPA-defensible posture relies on call recording, which can itself become a CIPA violation in California if not handled correctly.

If you're dialing into these states from any state, the local law applies. Some operators try to avoid the issue by geo-fencing campaigns; others build their consent infrastructure to the strictest standard and apply it everywhere. The second approach scales better, and it's the only approach that survives expansion into new states without a six-month re-architecture project. For US contact center operators thinking about this stack-up of obligations, our cloud contact center solutions guide covers how the platform layer fits.

RND safe harbour mechanics

The Reassigned Numbers Database matters enough to walk through carefully. It's administered by Somos Inc. under FCC contract, and access is via paid subscription or per-query pricing through one of the authorized resellers. Pricing for typical contact-center volumes runs into a few cents per query at the higher tiers, down toward fractions of a cent at scale.

The safe harbour attaches when three conditions are met: (1) the caller queried the RND for the specific phone number within a reasonable time before the call, (2) the database returned "no" (meaning the number has not been disconnected and reassigned since the consent date the caller submitted), and (3) the caller relied on that response in placing the call. If all three conditions hold, the caller has a complete defense to TCPA liability for that call even if the database response was incorrect.

The query takes a phone number plus a consent date and returns a binary response. That's it. No CRM-level data exchange, no PII transfer, no integration with your dialer beyond a pre-call API hit. Most platforms have native RND integration; if yours doesn't, a thin middleware layer can do it in a few days.

What this means for a typical payment-call workflow


Walk through a fairly normal US payment operation and the TCPA touchpoints stack up quickly.

A customer signs up online and provides a cell number to set up the account. Service-related calls and texts to that number are generally fine under the TCPA's prior-express-consent standard. If the signup flow also asked separately and conspicuously for written consent to marketing texts, marketing SMS is also in bounds.

The customer falls behind on a payment. Your collections team calls. Manually dialed calls without prerecorded messages are outside the ATDS rules post-Facebook v. Duguid, but they're still subject to the FDCPA's hours-of-contact and call-cap rules. SMS reminders for the same account are still subject to the consent rules — service-related is fine, marketing layered in is not.

The agent reaches the customer and takes a card payment. The card-capture leg is where PCI DSS takes over. DTMF masking keeps the card number out of the call recording and out of your contact center systems — separate from the TCPA picture but operating on the same call. Once the payment clears, sending an SMS confirmation is service-related and falls within consent.

The same customer calls back later, gets a fraud alert via SMS, and uses an MFA code to authenticate into the self-service portal. All three of those messages are within the transactional exemption provided they're tightly scoped, sent at the user's request or in direct response to an account event, and don't carry marketing payload.

The customer eventually closes the account. Future calls to that cell number for any purpose are no longer consented, and the number should be flagged as do-not-contact in your dialing system. If the number is reassigned by the carrier later, the RND should catch it before your next outbound campaign.

Operational controls that actually help

The defensible TCPA posture isn't about one big control — it's about half a dozen small ones that compound.

Capture and store the consent record at the moment it's given. The court case will turn on whether you can show, three years later, exactly what the customer agreed to and when. A timestamped consent log that ties each phone number to the specific written agreement and the specific purposes consented to is worth its weight in legal reserves.

Honor revocations immediately and by any reasonable means. Verbal revocation to an agent on a call counts. "Stop" replies to SMS count. A written letter counts. The contact center system needs a do-not-contact flag that propagates within minutes, not days.

Query the Reassigned Numbers Database before each outbound campaign. The safe harbor only attaches if you can show the query happened before the call.

Audit your SMS templates for inadvertent marketing content. Most TCPA SMS suits we see arise from messages the company genuinely believed were transactional but contained a sentence that the plaintiff's bar could argue was promotional.

Train agents on what they can and can't promise about call frequency. "We'll only call you about your payment" can become a binding commitment if the customer relies on it.

Keep your federal and state consent standards aligned to the strictest jurisdiction you operate in. The cost of consent collection at the higher standard is trivial compared to the cost of being wrong.

Build a quarterly TCPA self-audit into your operations calendar. The audit should sample 100-200 outbound calls and SMS messages from the prior 90 days, walk each back to the underlying consent record, confirm the RND was queried (and capture the response), and confirm the call fell within permitted hours. Where samples turn up gaps, treat them as remediation priorities rather than incidents — the volume catches up to you faster than the legal cost catches up to the volume. Pair this with an annual external review by counsel familiar with TCPA class-action defense; the cost is usually well under a single statutory damages calculation on a mid-size class.
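One way to wire the controls above (consent log, any-channel revocation and the opt-out keywords from the revocation section, RND check before contact, permitted hours, audit trail) into a single pre-contact check, as an added example that is not Paytia's or any dialer vendor's code. `ContactGate`, `ConsentRecord` and `constructed_rnd_lookup` are hypothetical names, the RND call is a local stand-in rather than the real RND interface, and every number and date is constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Opt-out words listed in the article, matched case-insensitively.
REVOCATION_WORDS = {"stop", "unsubscribe", "quit", "end", "cancel", "remove"}

# Constructed sample data: number -> date it was permanently disconnected.
CONSTRUCTED_DISCONNECTS = {"+15550100002": date(2025, 2, 1)}


def constructed_rnd_lookup(number: str, consent_date: date) -> str:
    """Local stand-in for an RND query (hypothetical, not the real interface)."""
    gone = CONSTRUCTED_DISCONNECTS.get(number)
    # "yes" = disconnected on or after the consent date, "no" = not.
    return "yes" if gone is not None and gone >= consent_date else "no"


@dataclass
class ConsentRecord:
    number: str
    granted_at: datetime        # when consent was captured
    purposes: frozenset         # e.g. {"service"} or {"service", "marketing"}
    agreement_ref: str          # pointer to the stored disclosure text
    utc_offset_hours: int       # consumer's local UTC offset (assumed known)
    revoked_at: Optional[datetime] = None
    revoked_via: Optional[str] = None


class ContactGate:
    """Single gate that every dialer and SMS platform calls before contact."""

    def __init__(self, rnd_lookup=constructed_rnd_lookup):
        self.consents = {}
        self.rnd_lookup = rnd_lookup
        self.audit_log = []     # one entry per decision, for the self-audit

    def record_consent(self, rec: ConsentRecord) -> None:
        self.consents[rec.number] = rec

    def revoke(self, number: str, via: str, when: datetime) -> None:
        # Revocation attaches to the number, so it blocks every channel.
        rec = self.consents.get(number)
        if rec is not None and rec.revoked_at is None:
            rec.revoked_at, rec.revoked_via = when, via

    def handle_inbound_sms(self, number: str, body: str, when: datetime) -> bool:
        word = body.strip().strip(".!").lower()
        if word in REVOCATION_WORDS:
            self.revoke(number, "sms", when)
            return True
        return False

    def check(self, number: str, channel: str, purpose: str, when: datetime) -> str:
        rec = self.consents.get(number)
        rnd_answer = None
        if rec is None:
            decision = "no_consent_record"
        elif rec.revoked_at is not None and rec.revoked_at <= when:
            decision = "revoked"
        elif purpose not in rec.purposes:
            decision = "purpose_not_consented"
        elif not self._in_hours(rec, when):
            decision = "outside_hours"
        else:
            # Query before the contact and keep the answer with its timestamp.
            rnd_answer = self.rnd_lookup(number, rec.granted_at.date())
            decision = "ok" if rnd_answer == "no" else "rnd_reassigned"
        self.audit_log.append({
            "number": number, "channel": channel, "purpose": purpose,
            "checked_at": when.isoformat(), "rnd_answer": rnd_answer,
            "decision": decision,
        })
        return decision

    @staticmethod
    def _in_hours(rec: ConsentRecord, when: datetime) -> bool:
        # 8 a.m. to 9 p.m. in the consumer's local time, applied to all channels.
        local = when.astimezone(timezone(timedelta(hours=rec.utc_offset_hours)))
        return 8 <= local.hour < 21


def run_demo() -> list:
    utc = timezone.utc
    gate = ContactGate()
    a, b = "+15550100001", "+15550100002"   # constructed numbers
    gate.record_consent(ConsentRecord(a, datetime(2025, 1, 10, tzinfo=utc),
                                      frozenset({"service"}), "agreement-A", -5))
    gate.record_consent(ConsentRecord(b, datetime(2024, 3, 1, tzinfo=utc),
                                      frozenset({"service"}), "agreement-B", -5))
    morning = datetime(2026, 3, 2, 15, 0, tzinfo=utc)    # 10:00 local
    out = [gate.check(a, "voice", "service", morning),
           gate.check(a, "sms", "marketing", morning),
           gate.check(b, "voice", "service", morning)]
    # Agent hears "stop calling me"; the SMS platform must see it too.
    gate.revoke(a, "verbal-to-agent", morning + timedelta(minutes=5))
    out.append(gate.check(a, "sms", "service", morning + timedelta(hours=5)))
    late = datetime(2026, 3, 3, 3, 0, tzinfo=utc)        # 22:00 local
    out.append(gate.check(b, "voice", "service", late))
    return out
```

Because every channel calls the same gate, propagation latency is the time it takes to write one flag, and `audit_log` is the record the quarterly sample walks back through.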

One pattern that genuinely helps: pull your TCPA and PCI obligations, including PCI compliance for telephone payments, onto a single compliance dashboard rather than treating them as separate workstreams. The teams that run them are usually the same teams, the calls in scope overlap heavily, and the auditors for each regime will ask about the others. A unified view makes both regimes cheaper to maintain, faster to audit, and far easier to defend.

Lessons from the big settlements

The headline TCPA settlements aren't outliers — they're concentrated examples of the same operational gaps that smaller defendants get hit with every week. Three are worth studying.

DISH Network's $280M settlement (2017) came out of a Justice Department and state attorneys general action over prerecorded telemarketing calls made by a third-party retailer that DISH had authorized to sell its services. The court ruled DISH was vicariously liable for the calls under principal-agent doctrine even though DISH didn't make the calls itself. The lesson: if a third-party caller is dialing on your behalf or under your brand, you carry the TCPA exposure. Audit the consent records and DNC scrubbing posture of every reseller, lead generator, and outsourced collections firm in your supply chain — and put indemnification clauses in those contracts that aren't pure paper.

Capital One's $75M settlement (2014) covered autodialed and prerecorded collections calls to cell phones, many of which had been reassigned from customers who had given consent to new subscribers who hadn't. This was a pre-RND case — the database that would have provided a safe harbour didn't exist yet. The lesson: "we had consent from the original number-holder" is not a defense post-2021, and the RND query is the only thing that converts "we acted in good faith" into an actual legal shield.

Wells Fargo's $32M settlement (2017) covered autodialed collections calls and arose primarily from inadequate revocation handling — customers who had asked verbally to stop being called continued to receive calls because the do-not-contact flag took too long to propagate across the bank's dialing systems. The lesson: revocation propagation latency is a TCPA risk, full stop. If your contact center can take a revocation in the morning and your SMS marketing platform can send a marketing text to the same number in the afternoon, you have a violation waiting to happen.

The smaller settlements that don't make headlines are usually variations of these same three patterns: third-party callers, reassigned numbers, slow revocation handling. Get those three things right and you cut your TCPA exposure to a fraction of what most operators carry. For US merchants who also need to think about PCI-compliant phone payment capture on the same calls, the consent and card-data architectures need to be designed together rather than bolted on separately.

Frequently asked questions

Does the TCPA apply to my contact center if we only dial manually?

Mostly yes for some provisions, mostly no for others. The autodialer rules narrowed significantly after Facebook v. Duguid (April 2021), so manually-dialed calls from a curated list are usually outside the ATDS definition. But the prerecorded-voice rules, the SMS-to-cell-phone rules, and the do-not-call rules still apply regardless of how the call is dialed. And state mini-TCPAs like Florida's FTSA define autodialer more broadly than federal law.

Is an MFA code by SMS a TCPA risk?

The FCC has signaled that one-time security codes sent at the customer's request, within a narrow window, and limited to that single purpose fall within a transactional exemption. The risk is when the MFA message gets bundled with anything else — a marketing tagline, a promotional offer, a cross-sell — at which point it loses the exemption and reverts to needing written marketing consent.

What happens if a number we have valid consent for gets reassigned?

If you query the FCC's Reassigned Numbers Database before placing the call and get a clean response, you have a complete safe harbor against TCPA liability for that call — even if the response turns out to be wrong. The RND went live in November 2021 specifically to solve the reassignment problem. If you don't query it, the safe harbor doesn't attach and you carry the full liability risk.

Can a customer revoke TCPA consent verbally on a call?

Yes. The FCC and courts have consistently held that consumers can revoke consent by any reasonable means, including verbally to an agent. Once revoked, every subsequent call or text to that number is a potential violation. Your contact center system needs a fast path from "agent hears revocation" to "do-not-contact flag set".

How does TCPA compliance interact with PCI DSS?

They're separate regimes addressing different risks — TCPA is about consent to be contacted, PCI DSS is about protecting cardholder data — but they intersect on the same call. A typical phone-payment workflow has a TCPA-governed outbound call (or inbound consent), a PCI-governed card capture leg, and a TCPA-governed confirmation message. Paytia handles the PCI side via DTMF masking; the TCPA side stays with your contact center platform and your consent records.

What are the biggest TCPA settlements?

DISH Network paid $280 million in 2017 for prerecorded telemarketing calls made by a subcontractor. Capital One settled a TCPA class action for $75 million in 2014. Wells Fargo settled for $32 million for autodialed collections calls. The pattern is consistent: high-volume outbound calling without rigorous consent records, multiplied across millions of consumers, multiplied again by the statutory damages.

What's the difference between negligent and willful violations?

Statutory damages run $500 per negligent violation (called "strict liability" by some commentators because intent isn't required) and $1,500 per knowing or willful violation. Courts have generally found "willful" doesn't require specific intent to violate the TCPA — only that the caller intended to make the call and either knew or should have known the call violated the statute. A pattern of repeat calls after a revocation, ignored DNC scrubs, or skipped RND queries can all support a willfulness finding, which triples the per-call exposure across the entire class.

How does the federal Do-Not-Call Registry interact with TCPA?

The DNC Registry sits under the Telemarketing Sales Rule (FTC) and TCPA (FCC) jointly. Marketing calls to residential numbers on the registry without an existing business relationship or written consent are violations under both regimes. The registry doesn't cover most B2B calling, doesn't cover established business relationship calls within an 18-month window, and doesn't cover informational (non-marketing) calls. But once a number is on the registry, the burden is on the caller to prove an exemption applies — not on the consumer to prove it doesn't.

What about ringless voicemail drops?

Ringless voicemail technology — where a message is deposited directly into a voicemail inbox without ringing the phone — was originally marketed as outside TCPA scope because no "call" is placed. The FCC declined to grant a petition for that interpretation, and the courts that have addressed it (notably the Eleventh Circuit in Saunders v. Dyck O'Neal, 319 F. Supp. 3d 907) have treated ringless voicemail as a "call" subject to the TCPA. Treat ringless voicemail as TCPA-regulated in the same way as a prerecorded call.

Does TCPA apply to international calls into the US?

Yes. The statute applies based on where the call is received, not where the dialer sits. A call placed from a Manila, Mumbai, or Dublin contact center into a US phone number is squarely within TCPA. The same consent, RND, DNC scrubbing, and time-of-day rules apply, and the same statutory damages are available to the US recipient. International callers have been sued successfully under TCPA, although jurisdictional service can complicate enforcement.
